gravitational / teleport
https://goteleport.com
GNU Affero General Public License v3.0

SAML IdP login redirector does not handle HTTP-POST binding request #44279

Closed flyinghermit closed 1 month ago

flyinghermit commented 1 month ago

Expected behavior:

The SAML IdP auth middleware should handle both the HTTP-Redirect binding and HTTP-POST binding requests.

Current behavior:

In an SP-initiated SSO, if a user does not have an active authenticated session with Teleport, the IdP middleware redirects the user to the login URL with a redirect_uri that points to the IdP SSO endpoint and carries the SAML authentication message: https://proxy/web/login?redirect_uri=https://proxy/enterprise/saml-idp/sso?SAMLRequest=<authN_message>&RelayState=<relay_state>.

The middleware, however, only considers the HTTP-Redirect binding request (HTTP GET) and appends the values of the URL query params to the redirect_uri. As such, when the SP uses the HTTP-POST binding, the SAML authentication message in the request body is ignored, which means the redirect_uri will be empty and the SSO breaks: https://proxy/web/login?redirect_uri=https://proxy/enterprise/saml-idp/sso<missing_SAMLRequest>

Bug details:
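The redirect described above, shown as an added example that is not Teleport's code: a query-only version of the login redirector that reproduces the empty redirect_uri for a POST binding, next to a version that reads SAMLRequest/RelayState from the form body as well. The paths, the host name `proxy`, the SAMLRequest value and the RelayState value are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Paths modelled on the URLs quoted in the issue, plus constructed sample values
// standing in for a deflated+base64 AuthnRequest and an SP RelayState (assumed, not Teleport's).
const (
	loginPath         = "/web/login"
	idpSSOPath        = "/enterprise/saml-idp/sso"
	sampleSAMLRequest = "ZmFrZS1BdXRoblJlcXVlc3Q="
	sampleRelayState  = "https://argocd.example.com/applications"
)

// extractSAMLParams reads SAMLRequest and RelayState from the URL query for the
// HTTP-Redirect binding (GET) and from the form body for the HTTP-POST binding.
func extractSAMLParams(r *http.Request) (samlRequest, relayState string, err error) {
	var src url.Values
	switch r.Method {
	case http.MethodGet:
		src = r.URL.Query()
	case http.MethodPost:
		if err := r.ParseForm(); err != nil {
			return "", "", err
		}
		src = r.PostForm // body only: the POST binding never puts SAMLRequest in the query
	default:
		return "", "", fmt.Errorf("unsupported method %s", r.Method)
	}
	if src.Get("SAMLRequest") == "" {
		return "", "", fmt.Errorf("%s request carries no SAMLRequest", r.Method)
	}
	return src.Get("SAMLRequest"), src.Get("RelayState"), nil
}

// loginRedirectURL builds https://<host>/web/login?redirect_uri=<IdP SSO URL with the
// SAML params>, so the flow can resume at the IdP endpoint after the user logs in.
func loginRedirectURL(host, samlRequest, relayState string) string {
	q := url.Values{"SAMLRequest": {samlRequest}}
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	sso := url.URL{Scheme: "https", Host: host, Path: idpSSOPath, RawQuery: q.Encode()}
	login := url.URL{Scheme: "https", Host: host, Path: loginPath,
		RawQuery: url.Values{"redirect_uri": {sso.String()}}.Encode()}
	return login.String()
}

// buggyLoginRedirectURL mirrors the behaviour the issue describes: only the URL
// query is consulted, so a POST binding produces a redirect_uri with no SAMLRequest.
func buggyLoginRedirectURL(r *http.Request) string {
	q := r.URL.Query()
	return loginRedirectURL(r.Host, q.Get("SAMLRequest"), q.Get("RelayState"))
}

// fixedLoginRedirectURL accepts either binding and refuses a request without SAMLRequest.
func fixedLoginRedirectURL(r *http.Request) (string, error) {
	samlRequest, relayState, err := extractSAMLParams(r)
	if err != nil {
		return "", err
	}
	return loginRedirectURL(r.Host, samlRequest, relayState), nil
}

// nestedSAMLRequest unwraps login URL -> redirect_uri -> SAMLRequest, i.e. what the
// IdP SSO endpoint will receive after login; "" means the SSO flow is broken.
func nestedSAMLRequest(loginURL string) string {
	outer, err := url.Parse(loginURL)
	if err != nil {
		return ""
	}
	inner, err := url.Parse(outer.Query().Get("redirect_uri"))
	if err != nil {
		return ""
	}
	return inner.Query().Get("SAMLRequest")
}

// spRequest builds a constructed SP request in the given binding: HTTP-Redirect
// puts the parameters in the query string, HTTP-POST in a form-encoded body.
func spRequest(method string) *http.Request {
	params := url.Values{"SAMLRequest": {sampleSAMLRequest}, "RelayState": {sampleRelayState}}.Encode()
	if method == http.MethodGet {
		return httptest.NewRequest(method, "https://proxy"+idpSSOPath+"?"+params, nil)
	}
	r := httptest.NewRequest(method, "https://proxy"+idpSSOPath, strings.NewReader(params))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

func main() {
	r := spRequest(http.MethodPost)
	fixedURL, _ := fixedLoginRedirectURL(r)
	fmt.Printf("POST binding: buggy=%q fixed=%q\n", nestedSAMLRequest(buggyLoginRedirectURL(r)), nestedSAMLRequest(fixedURL))
}
```

For the GET (HTTP-Redirect) binding both versions carry the SAMLRequest through; for the POST binding only the form-aware version does, and it also fails closed rather than emitting a redirect_uri that can never complete the SSO.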

flyinghermit commented 1 month ago

This issue prevents proper integration with the ArgoCD service provider, which sends an HTTP-POST binding request - https://github.com/gravitational/teleport/issues/44077